
THE PROCESS OF WRITING AN AUDIT REPORT

Objectives of Audit Reporting

The six objectives of audit reporting are:

1. Formally present the audit results to the auditee (and the audit client if
different from the auditee).

2. Serve as formal closure of the audit engagement.

3. Provide statements of assurance and, if needed, identification of areas
requiring corrective action and related recommendations.

4. Serve as a valued reference for any party researching the audit entity or audit
topic.

5. Serve as the basis for a follow-up audit if audit findings were presented.

6. Promote audit credibility when well developed and well written.

WRITING THE REPORT

Communication Factors

• Well-structured and clearly written formal IS audit reports promote audit
credibility and help the reader to understand the key points of the audit
in an effective and efficient manner.
• Formal reporting processes incorporate stringent review and approval,
editing reviews, and the exposure of draft reports to the auditees. The
importance of a well-written draft report cannot be overstated.
• The information in the IS audit report needs to be verifiable and
presented in a constructive tone and an unbiased manner.
• Starting with audit planning and progressing through the audit process
is the continued opportunity to identify the interests and communication
requirements of the report’s most immediate readership. This
assessment enables better determination of the language to be used,
the need for defining terminology and the degree of explanation
required in the report.

Auditing in A CIS Environment
Topic: The Process of Writing an Audit Report
Prepared by: Maribel Sta. Rosa-Zafe

Key Success Factors

Informative.

- written in a clear, concise and persuasive manner.
- professionally presented in terms of structure, format, ease of finding
information and writing style.
- well organized and well written and present audit results in a balanced,
fair and objective manner.

Logical Sequence.

- present the material in a focused and logical sequence.
- Concise implies that words and sentences are direct and sentences are
not overly wordy or too lengthy.
- Although the audit report may present material in a logical sequence
and in a concise manner, it may need to be lengthy to adequately cover
the audit and its results.
- When writing the report, the auditor should consider whether the
readers are likely to spend time methodically reading and studying the
report.

Persuasive.

- report needs to be convincing.
- present arguments for action in a manner so that the reader
understands the importance of taking action and the risk and
opportunity loss of not taking action.
- consider ways that information can be presented to assist the reader in
understanding the key points of the argument.

Sufficient Information.

• What is the reader’s knowledge of the subject matter?
• To what extent do the readers of the report already know about the
issues?
• Also consider whether additional or supplemental information can be
beneficial.
• Providing references or copies of supplemental information in an
appendix can often assist the reader in gaining a better understanding
of report material.

Length and Content of an IS Audit Report

The length and content of an IS audit report depend on the following:

• Predefined requirements that are mandated by auditing standards
• Additional requirements that are dictated by the needs of various
readers
• Complexity of the material
• Reporting protocols that are established by the audit organisation

The factors that impact the content and length of the report include the following:
• Type of audit
• Complexity of entity operations and systems
• Number of audit objectives and audit findings
• Different readership categories
• Details needed to make the content understandable
• Disclosures
• Required supplemental information

Using the IS Audit Report Template

This section provides directions on how to use the audit report template and
examples where relevant.

Title Page. The following information should be included on the title page:

• Heading entitled ‘Independent Auditor’s Report’
• Name of the audit organization
• Report title
• Name of the audit entity
• Audit period covered by the audit

Signatory and Transmittal Page.

- usually presented on the audit organization’s letterhead.
- identifies what the audit organization is presenting in terms of the audit
report.
- The text identifies the audit, the period when the audit work was
completed, and date of report issuance, and indicates that the report
contains conclusions and/or an opinion.
- serves as a transmittal page when the audit report is formally
transmitted from the audit organization to the auditee and, if needed, a
client. The transmittal content on the page identifies the purpose of the
audit and those to whom the report is directed. The transmittal content
also includes a disclaimer of liability for the use of the report for anything
other than its stated purpose.
- The signatory and transmittal page also provides a statement about
compliance with appropriate audit standards and that the evidence
obtained provides a reasonable basis for the conclusions and any
findings. This page contains the signature of the chief audit executive
of the audit organization or firm. Because the name and/or logo of the
audit organization should also be on this page, the signatory and
transmittal page can be presented on the audit organization’s
letterhead.

Table of Contents.

- an aid for the reader to quickly identify the scope of content or to find a
particular part of the audit report.
- used when reports are lengthy or contain a number of items in an
appendix.

Introduction.

- provides external readers with sufficient information regarding the type
of audit entity, its mission and primary business objectives, and the
purpose of application systems and supporting technology that was
subject to audit.
- useful for IS audit reports whose readership likely includes oversight
authorities, legislative bodies, government agencies, organizations
independent of the audit entity and the general public. An introduction
may also be useful for internal audit reports if departments in an
organization may be unfamiliar with the audit entity/technology.

Executive Summary.

- includes a high-level description of the primary message of the report,
key audit objectives and a brief summary of audit results.
- it should not be used to sensationalize audit results. Rather, it should
be informative and to the point.

Audit Scope.

- identifies the authority to perform the audit, the name of the auditee
organization and audit entity, and the period covered by the audit.
- audit scope should indicate the expected breadth of audit work and topic
areas covered by the audit.
- should identify any limitations or topic areas not included in the audit
that the readership will likely think should be included in the audit.
- indicate the relevant body of auditing standards that governed the audit
work.

Audit Objectives.

- identifies the items to be evaluated or assessed by the audit.
- auditor needs to consider whether the audit objectives can be presented
in hierarchical terms, presenting the uppermost audit objective first with
secondary objectives to follow.
- When writing an audit objective, be careful to not imply that the auditor
is responsible for internal control.
- The statements of audit objectives depend on the type and scope of the
audit.

Audit Methodology.

- identify the nature and extent of audit work, audit criteria, sources of
audit criteria, whether reliance was placed upon the work of other
professionals, the type of analysis performed, and the basis for
conclusions drawn.

- state that a management representation letter was obtained from the
auditee acknowledging management’s responsibility for establishing
and maintaining an effective system of internal control to achieve
operational objectives, manage risk, and comply with legal
requirements.
- The management representation letter should also state that all
information that is relevant to the audit was provided in a timely manner
to the auditors and that access to policies and procedures, systems of
record, electronic systems and files, reports of activities, other audit
reports, and personnel was not restricted. This information may also be
covered under disclosures.
- identify whether the work of other auditors or professionals was relied
upon and the extent to which such reliance was made.
- identifies audit planning and audit engagement procedures.

Audit Conclusion or Opinion.

- to provide an overall conclusion or opinion with respect to the
engagement’s audit objectives.
- For audits that meet the requirements of obtaining sufficient, relevant
and reliable evidence and have complied with other auditing standards,
the audit reports generally include either an opinion or a disclaimer. A
disclaimer states that an opinion could not be provided due to limitations
of audit procedures and audit evidence.

Opinions can be one of three types:

• Unqualified Opinion: An unqualified opinion is presented when the audit
evidence substantially reflects what is expected to be in place and in effect,
according to the audit criteria.

- unqualified opinion represents a ‘clean bill of health’ with respect to the
audit objectives.
- unqualified opinion is not a statement of assurance that all processes
and systems in the organization are fine.

• Qualified Opinion: A qualified opinion is presented when the audit evidence
substantially reflects what is expected, except for a deficiency that, on its
own, does not render an adverse result.
- a qualified opinion may be expressed if the auditor is ‘unable to obtain
sufficient and appropriate evidence on which to base an opinion, but
concludes that the possible effects on the IS audit objectives of
undetected weaknesses, if any, could be material but not pervasive’.
- The audit report should include an explanatory paragraph stating the
reasons why a qualified opinion is expressed in the report. It is
recommended to present this as a separate paragraph, directly before
the qualified opinion. If the qualification is due to a limitation of scope,
then the scope paragraph should inform the reader of the qualification.

• Adverse Opinion: An adverse opinion is presented when the audit evidence
substantially reflects a material difference from what is expected to be in
place and in effect, according to the audit criteria.
- expressed when adequate controls are not in place or in effect to
provide reasonable assurance that control objectives are met, or that
there is a reasonable likelihood that the control objectives are not met.

Disclaimer. A disclaimer is a statement that an opinion cannot be rendered
due to the lack of sufficient, relevant and valid evidence upon which to base
an opinion.

- a disclaimer is generally expressed when the auditor also concludes,
‘the possible effects on the IS audit objectives of undetected
weaknesses, if any, could be material and pervasive’.

Audit Results.

- to provide a more detailed explanation of the engagement audit
findings. The overall conclusion or opinion of the audit determines
whether the report should contain an audit results section. If the report
contains an unqualified opinion, then it is unlikely that audit findings are
included. For reports containing qualified or adverse opinion, audit
findings are included.

- Audit findings are provided in the audit report when action is required to
correct a deficiency in a process or its related controls.
- the audit report includes audit findings for reports with qualified opinions or
adverse opinions. Five key elements, or attributes, that need to be
addressed when presenting an audit finding are: condition, criteria,
cause, effect and recommendation.

Constructing Well-written IS Audit Reports

A good audit report contains precise and concise facts that are easily
understood by the readers. In addition to terminology, language, report
structure, content requirements and protocol, sentence structure and
punctuation are also important considerations. To do this requires more than
avoiding technical jargon, slang, complex vocabulary or overly lengthy
complex sentences. If a report is misunderstood, it may be discarded, or
needed action may not be taken.

Key Rules

Following are key rules of writing that can aid in constructing well-written
audit reports.

1. Avoid technical jargon, colloquialisms or words that the readership is
unlikely to fully understand. For technical terms, include a definition or
explanation within the text or glossary.

2. Avoid faulty predication of mismatching a subject with a predicate noun.

3. Use noun markers like much and less before nouns that refer to things
that cannot be counted. Use many, few and fewer before nouns that
identify a specific number or objects that can be counted.

4. Ensure that adjective phrases are hyphenated.

5. Avoid overusing nouns. Sentences containing several nouns can be
confusing to the reader. Be careful not to use nouns inappropriately as
modifiers.

6. Avoid the double negatives trap. A double negative may cause the
intended meaning to be negated or it may confuse the reader. When the
resulting, or potential, adverse impact is significant, it might be tempting
to overuse negative meaning words, such as never, not, none, neither,
nothing and nor.

7. Avoid abbreviating comparisons or mismatching superlatives. Audit
reports are likely to contain comparisons when there are audit findings.
Ensure that comparatives and superlatives are used correctly when
using adjectives and adverbs. Regarding comparatives or superlatives,
avoid using ‘–er’ and ‘more’, or ‘–est’ and ‘most’, at the same time.

8. Avoid using one or two commas to set off an essential modifier that is
required for the meaning of the sentence.

9. As a general rule, avoid having one or two words between the word ‘to’
and the verb. Dividing the word ‘to’ from the verb, which is referred to
as a split infinitive, can lead to confusion or misinterpretation.

10. Avoid misplaced modifiers. Misinterpretation can result if modifiers are
separated from the very words they are intended to modify, or if the
intended word is missing.

11. Ensure that appropriate co-ordinating links (e.g., ‘and’, ‘or’, ‘therefore’
or ‘however’) are used to join independent clauses when writing
compound sentences. This can strengthen a logical sequence and
improve the overall flow. Be careful not to overuse the word ‘and’,
because sentences containing too many ‘and’ words can be confusing
to the reader.

Follow these steps to ensure that the report is understandable and well written:

• The content, in terms of stated facts and numbers, should be
double-checked and reviewed by another individual.

Nothing can hurt the credibility of an audit report like inaccurate numbers,
incorrect references and misstatements.

• Read sections of the report in reverse order to focus on stated facts and
identify misspellings.

• Read the report out loud to hear (and feel) how it sounds. This technique
is useful when assessing the flow of logic and wording.

FINALIZING THE REPORT

Including Additional Information.

- auditor replies are included to acknowledge corrective action that was
taken or is planned, or identify any results or recommendations in the
audit report that management responses did not address.
- Other additional information includes a description of subsequent
events that may be material to the audit, items to be inserted in an
appendix and any additional disclosures.

Final Editing, Review and Approval.

- new information was added while finalizing the report, and depending
on the feedback received from the auditee, certain parts of the report
may need to be re-written to strengthen the report.
- After the additional information is included and any changes are made,
the audit report should be subjected to a final review by senior audit
management before the report is issued. If extensive changes were
made to the text or difficult concepts were added, the report may require
an additional editing review prior to the senior management review and
approval.

Subsequent Events.

- include information pertaining to any events that occurred after the audit
field work was completed and before the audit report is issued that have
a material impact on the report subject matter and require amendment
or disclosure regarding the subject matter.
- inquire with auditee management about subsequent events that may
be material to the audit subject matter.

Disclosures.

- disclose any qualifications or limitations in scope or audit work that was
performed during the audit. Further explanations may be needed
regarding reportable items, efforts taken to avoid impairments, events
subsequent to the audit, etc.
- During the audit, IS auditors may discover certain conditions that can
impact control or operational risk, such as discrepancies in
recordkeeping, unsupported transactions, conflicting audit evidence or
problematic matters. The latter can include difficulties in obtaining
evidence, conducting interviews or performing audit tests.

OTHER CONSIDERATIONS FOR REPORT DISTRIBUTION

Compliance With Legal Requirements

Laws and regulations impact the responsibilities of the organizations that are
being audited and the responsibilities of the auditor. Legal requirements that
are incorporated within a contract for audit services, laws and regulations
may impact the auditor’s responsibility for audit work, especially for reporting.

Information to Include in the Final Report

For certain types of audits, the auditor may be required to include very
specific information in the final audit report.

IS Audits

Audit report content may be extended to include internal controls over IT
systems that support financial reporting and business operations, reporting
on regulatory compliance, and reporting on potential illegal acts that were
detected during the audit. In addition, deadlines by which audit reports must
be issued may be detailed in government regulations. Because IS audits are
usually focused on complex or new technology, the audit reports may require
further explanation and a glossary of terms. An additional concern may
involve how legal terms are defined from jurisdiction to jurisdiction. For
example, the key elements of fraud are not exactly the same in all countries
and jurisdictions.

Identify Legally Mandated Reporting Requirements

Laws and regulations vary across the globe. While the identification of
applicable law may extend over municipal, state, provincial and federal law,
the auditor should ensure that reporting guidelines that are promulgated by
oversight authorities are also included. Even if the auditor is versed in
performing legal research, legal services may be needed to ensure that
legally-mandated reporting requirements are identified and correctly
interpreted. For audits that involve government expenditures, subsidies and
grants, granting authorities can have reporting guidelines that need to be
addressed. The same body of law that was initially identified regarding the
responsibilities of the organization being audited can be an excellent starting
point to identify reporting requirements.

Communicating Possibility of Illegal or Fraudulent Activity

Reporting protocols and requirements regarding possible illegal acts and
fraudulent activity should be established by the audit organization. If, during
the course of the audit, sufficient evidence indicates that illegal acts or fraud
have occurred, are occurring, or are likely to occur, then these concerns
should be reported to audit management and appropriate parties, which may
include law enforcement.

When and to Whom to Report Possible Fraud

It is extremely important to ensure that any reporting of possible illegal
activity is not construed as the auditor’s legal opinion. Even if the auditor
were an officer of the court, an explicit determination by the auditor is
inappropriate.

If, in the course of performing audit steps that are designed to detect fraud,
the evidence demonstrated a reasonable likelihood that illegal acts or fraud
had occurred or were occurring, then there may be sufficient predication on
the part of management or law enforcement to initiate an investigation. At
this juncture, reporting protocols are extremely important and additional
considerations regarding audit evidence come into effect.

Issuing Separate Confidential Reports

Some circumstances require a separate confidential report, with limited
distribution, to be released concurrently with the engagement audit report.
Typically, a single audit report is prepared and issued that identifies the audit
results for all audit objectives. Occasionally, reports contain information that
could be exploited and place the organization or other stakeholders at
increased risk. IS auditors often examine and provide conclusions and
opinions on highly sensitive operational areas. The auditor should determine
whether:

1. Adequate reporting can be provided without including a level of detail that
can lead to exploitation of the deficiency.

2. The entire report can be designated as confidential and distribution can
be limited.

3. A separate report can be issued that contains the highly sensitive or
security-related information.

The report can be issued as confidential and distribution can be significantly
limited.

Depending on the type of operational or control deficiencies, the auditor
needs to ensure that only authorized parties have access to the audit report.
Under such circumstances, the auditor needs to consider whether a separate
report may be warranted, due to the level of detail that is provided and the
planned distribution of the report. The confidential report, which is connected
to the larger report, should indicate the report number that relates to the
public report number or the corresponding finding that relates to the public
finding or generic finding.

Although the above issue tends to be far more critical when audit reports are
made available to a wide readership, such as to external users and the
public, a separate report may be advisable even when distribution is within
the business enterprise. Labelling the report as confidential and stating that
further distribution is prohibited also helps to reduce secondary distribution.

Meeting Future Reporting Expectations

The trends today reveal that report users have an increased need to be
provided with more information about business organizations, rather than less.
Continued emphasis has focused on enhancing disclosures in financial audits
of publicly traded organizations. The demands for further information have
been driven by business clients, customers, oversight authorities and
legislatures. The trend is for better, faster and more comprehensive reporting.
From proponents of governance to regulators, there has been a strong interest
in independent assessment and reporting of organisational compliance with
laws and regulations.
